Blocking Applications

Updated: September 22, 2010

Applies To: Windows 7

Windows SteadyState allows you to create a list of programs to block for each user. Windows 7 includes a more robust feature for controlling the applications that users can run: AppLocker (see Figure 6). AppLocker works with the LGPOs and GPOs that are deployed in Active Directory, and it provides a significant advantage for shared computer environments. AppLocker is supported by the Windows 7 Enterprise or Windows 7 Ultimate operating systems.

AppLocker is more flexible than earlier tools for managing the applications that users can run, including software restriction policies and Windows SteadyState. Instead of providing a list of programs to block, AppLocker allows you to specify which applications users are allowed to run. Doing so can make controlling applications easier because it allows you to prevent even unknown applications from running on the computer.

Figure 6 Defining an AppLocker rule by using the Create Executable Rules Wizard

With AppLocker, you can:

Define rules based on file attributes, such as the file’s digital signature, including the publisher, product name, file name, or file version. For example, you can create a rule that specifically allows any version of Adobe Acrobat Reader to run.

Create exceptions to rules. For example, you can create a rule that allows all built-in Windows programs to run except the Registry Editor (Regedit.exe), preventing users from trying to make changes to the registry.

Creating AppLocker rules by using the Create Executable Rules Wizard is easy. You can learn more about AppLocker on TechNet.
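
The publisher rule and the rule exception described above can also be written as policy XML and checked from Windows PowerShell before anything is enforced. The following is an added example, not part of the original page: the rule GUIDs, the Adobe publisher and product strings, and the file name applocker-example.xml are assumed placeholder values.

```powershell
# Added example. Run in an elevated PowerShell session on a Windows 7
# Enterprise or Ultimate computer.
Import-Module AppLocker

# Constructed policy. The Id values are placeholder GUIDs, and the
# PublisherName/ProductName strings are assumptions; read the real values from
# an installed binary with Get-AppLockerFileInformation.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Publisher rule: any file name and any version of the product. -->
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111"
        Name="Allow Adobe Reader (any version)" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE READER" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Path rule with an exception: built-in Windows programs run, Regedit.exe does not. -->
    <FilePathRule Id="22222222-2222-2222-2222-222222222222"
        Name="Allow Windows folder except Registry Editor" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Evaluate the policy file against specific programs without applying it.
$targets = "$env:WINDIR\notepad.exe", "$env:WINDIR\regedit.exe"
Test-AppLockerPolicy -XMLPolicy $policyPath -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# After reviewing the decisions, apply the policy to the local computer:
# Set-AppLockerPolicy -XMLPolicy $policyPath
```

Test-AppLockerPolicy only evaluates the policy file; nothing is enforced until the policy is applied and the Application Identity service is running. Because AppLocker allows only what a rule permits, the exception leaves Regedit.exe with no matching allow rule.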